Uploaded by timothydada16

VPN and firewall

advertisement
Network Security:
Firewall, VPN, IDS/IPS, SIEM
Ahmet Burak Can
Hacettepe University
abc@hacettepe.edu.tr
Information Security
1
What is a Firewall?
A firewall is hardware, software, or a combination of
both that is used to prevent unauthorized programs or
Internet users from accessing a private network and/or
a single computer
Information Security
2
What is a Firewall ?
A firewall :
Internet
◦ Acts as a security gateway
between two networks
◦ Tracks and controls network
communications
Decides whether to pass,
reject, encrypt, or log
communications (Access
Control)
“Allow traffic
Traffic
“Block
to Internet”
from
Internet”
Corporate
Site
3
Information Security
Hardware vs. Software Firewalls
Hardware Firewalls
◦ Protect an entire network
◦ Implemented on the router level
◦ Usually more expensive, harder to configure
Software Firewalls
◦ Protect a single computer
◦ Usually less expensive, easier to configure
Information Security
4
Evolution of Firewalls
Stateful
Inspection
Application
Proxy
Packet
Filter
Stage of Evolution
Information Security
5
Packet Filter
Packets examined at the network layer
Useful “first line” of defense - commonly deployed on
routers
Simple accept or reject decision model
No awareness of higher protocol layers
Applications
Applications
Applications
Presentations
Presentations
Presentations
Sessions
Sessions
Sessions
Transport
Transport
Transport
Network
Network
Network
Data Link
Data Link
Data Link
Physical
Physical
Physical
Information Security
6
Packet Filter
Simplest of components
Uses transport-layer information only
◦ IP Source Address, Destination Address
◦ Protocol/Next Header (TCP, UDP, ICMP, etc)
◦ TCP or UDP source & destination ports
◦ TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
◦ ICMP message type
Examples
◦ DNS uses port 53
No incoming port 53 packets except known trusted servers
Information Security
7
How to Configure a Packet Filter
Start with a security policy
Specify allowable packets in terms of logical expressions
on packet fields
Rewrite expressions in syntax supported by your
vendor
General rules - least privilege
◦ All that is not expressly permitted is prohibited
◦ If you do not need it, eliminate it
Information Security
8
Packet Filter Configuration - 1
Every ruleset is followed by an implicit rule reading like this.
action
src
block
*
port
dest
port
flags
*
*
*
*
comment
default
Suppose we want to allow inbound mail (SMTP, port 25)
but only to our gateway machine. Also suppose that
mail from some particular site SPIGOT is to be blocked.
Information Security
9
Packet Filter Configuration - 2
action src
port dest
por
t
flags
comment
block
SPIGOT
*
*
*
*
We don’t trust
these site
allow
*
*
OUR-GW
25
*
Connection to our
SMTP port
Example 2:
Now suppose that we want to implement the policy “any
inside host can send mail to the outside”.
Information Security
10
Packet Filter Configuration - 3
action src
allow
port dest
*
*
*
por
t
flags
25
*
comment
Connection to
outside SMTP port
This solution allows calls from any port on an inside
machine, and will direct them to port 25 on an outside
machine.
So why is it wrong?
Information Security
11
Packet Filter Configuration - 4
Our defined restriction is based solely on the
destination’s port number.
With this rule, an enemy can access any internal
machines on port 25 from an outside machine.
What can be a better solution ?
Information Security
12
Packet Filter Configuration - 5
action src
port dest
por
t
flags
*
allow
{our hosts}
*
*
25
allow
*
25
*
*
comment
Connection to
outside SMTP port
ACK SMTP replies
The first rule restricts that only inside machines can
access to outside machines on port 25.
In second rule, the ACK signifies that the packet is part
of an ongoing conversation.
◦ Packets without ACK are connection establishment messages,
which are only permited from internal hosts by the first rule.
◦ With the second rule, outside hosts can send back packets to
inside hosts on port 25.
Information Security
13
Application Gateway or Proxy
Packets examined at the application layer
Application/Content filtering possible - prevent FTP
“put” commands, for example
Modest performance
Scalability limited
Applications
Applications
Applications
Presentations
Presentations
Presentations
Sessions
Sessions
Sessions
Transport
Transport
Transport
Network
Network
Network
Data Link
Data Link
Data Link
Physical
Physical
Physical
Information Security
14
Stateful Inspection
Packets Inspected between data link layer and network layer in the
OS kernel
State tables are created to maintain connection context
Invented by Check Point
Applications
Applications
Presentations
Applications
Presentations
Sessions
Presentations
Sessions
Transport
Sessions
Transport
Network
Transport
Network
Network
Data Link
Data Link
Data Link
Physical
Physical
Physical
INSPECT Engine
Information Security
Dynamic
StateDynamic
Tables
StateDynamic
Tables
State Tables
15
Network Address Translation (NAT)
192.172.1.1-192.172.1.254
Internal
IP Addresses
Corporate LAN
219.22.165.1
Internet
Public
IP Address(es)
Converts a network’s illegal IP addresses to legal or
public IP addresses
◦ Hides the true addresses of individual hosts, protecting them
from attack
◦ Allows more devices to be connected to the network
Information Security
16
Firewall Deployment
Corporate Network
Gateway
Internal Segment
Gateway
Internet
Public Servers
Demilitarized Zone
(Publicly-accessible
servers)
◦ Protect sensitive
segments (Finance, HR,
Product Development)
◦ Provide second layer of
defense
◦ Ensure protection
against internal attacks
and misuse
Human Resources
Network
Internal Segment Gateway
Corporate
Site
Information Security
17
What is a VPN?
Acme Corp
Acme
Site Corp
1
A VPN is a private
connection over an open
network
A VPN includes
authentication and
encryption to protect
data integrity and
confidentiality
VPN
Internet
VPN
Acme Corp
Site 2
Information Security
18
Types of VPNs
Remote Access VPN
◦ Provides access to internal
corporate network over the
Internet
◦ Reduces long distance,
modem bank, and technical
support costs
◦ PAP,CHAP,RADIUS
Information Security
Corporate
Site
Internet
19
Types of VPNs
Corporate
Site
Remote Access VPN
Site-to-Site VPN
◦ Connects multiple offices
over Internet
◦ Reduces dependencies on
frame relay and leased lines
Internet
Branch
Office
Information Security
20
Types of VPNs
Corporate
Site
Remote Access VPN
Site-to-Site VPN
Extranet VPN
◦ Provides business partners
access to critical information
(leads, sales tools, etc)
◦ Reduces transaction and
operational costs
Internet
Partner #2
Partner #1
Information Security
21
Types of VPNs
Remote Access VPN
Database
Server
Site-to-Site VPN
Extranet VPN
Client/Server VPN
LAN
clients
Internet
◦ Protects sensitive internal
communications
LAN clients with
sensitive data
Information Security
22
Overview of IDS/IPS
Intrusion
◦ A set of actions aimed at compromising the security goals
(confidentiality, integrity, availability of a computing/networking
resource)
Intrusion detection
◦ The process of identifying and responding to intrusion activities
Intrusion prevention
◦ The process of both detecting intrusion activities and managing
responsive actions throughout the network.
Information Security
23
Overview of IDS/IPS
Intrusion detection system (IDS)
◦ A system that performs automatically the process of intrusion
detection.
Intrusion prevention system (IPS)
◦ A system that has an ambition to both detect intrusions and
manage responsive actions.
◦ Technically, an IPS contains an IDS and combines it with
preventive measures (firewall, antivirus, vulnerability assessment)
that are often implemented in hardware.
Information Security
24
Components of Intrusion Detection System
system activities are
observable
Audit Records
Audit Data
Preprocessor
Activity Data
Detection
Models
Detection Engine
Alarms
Decision
Table
Information Security
Decision Engine
normal and intrusive
activities have distinct
evidence
Action/Report
25
Intrusion Detection Approaches
Modeling
◦ Features: evidences extracted from audit data
◦ Analysis approach: piecing the evidences together
Misuse detection (a.k.a. signature-based)
Anomaly detection (a.k.a. statistical-based)
Deployment: Network-based or Host-based
◦ Network based: monitor network traffic
◦ Host based: monitor computer processes
Information Security
26
Security Information and Event Management
(SIEM)
LMS - “Log Management System” – a system that collects and store Log Files (from
Operating Systems, Applications, etc) from multiple hosts and systems into a single
location, allowing centralized access to logs instead of accessing them from each system
individually.
SLM /SEM– “Security Log/Event Management” – an LMS, but marketed towards
security analysts instead of system administrators. SEM is about highlighting log entries as
more significant to security than others.
SIM – “Security Information Management” - an Asset Management system, but with
features to incorporate security information too. Hosts may have vulnerability reports
listed in their summaries, Intrusion Detection and AntiVirus alerts may be shown mapped
to the systems involved.
SEC - “Security Event Correlation” – To a particular piece of software, three failed
login attempts to the same user account from three different clients, are just three lines in
their logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and
Log Correlation (looking for patterns in log files) is a way to raise alerts when these
things happen.
SIEM – “Security Information and Event Management” – SIEM is the “All of the
Above” option, and as the above technologies become merged into single products,
became the generalized term for managing information generated from security controls
and infrastructure. We’ll use the term SIEM for the rest of this presentation
Information Security
27
Background on Network Components
Router
Switch (L2 & L3)
Servers (Application, Database, etc.)
Firewall
Demilitarized Zone (DMZ)
Virtual Private Network
IPS/IDS
28
Defense in Depth
29
Typical Corporate Environment
30
Log Management
Log management (LM) comprises an approach to dealing
with large volumes of computer-generated log messages
(also known as audit records, audit trails, event-logs, etc.).
LM covers log collection, centralized aggregation, long-term
retention, log analysis (in real-time and in bulk after storage)
as well as log search and reporting.
31
Log Management
32
Log Management Challenges
Analyzing Logs for Relevant Security Intelligence
Centralizing Log Collection
Meeting IT Compliance Requirements
Conducting Effective Root Cause Analysis
Making Log Data More Meaningful
Tracking Suspicious User Behavior
33
Introduction to SIEM
The term Security Information Event Management (SIEM),
coined by Mark Nicolett and Amrit Williams of Gartner in
2005.
Describes the product capabilities of gathering, analyzing and
presenting information from network and security devices;
identity and access management applications; vulnerability
management and policy compliance tools; operating system,
database and application logs; and external threat data.
Security Information and Event Management (SIEM) is a term
for software and products services combining security
information management (SIM) and security event manager
(SEM).
34
Key Objectives
Identify threats and possible breaches
Collect audit logs for security and compliance
Conduct investigations and provide evidence
35
SIEM vs LM
Functionality
Log collection
Security Information and Event Log Management
Management (SIEM)
(LM)
Log preprocessing
Collect security relevant logs +
context data
Parsing, normalization,
categorization, enrichment
Collect all logs
Indexing, parsing or
none
Log retention
Retail parsed and normalized data
Retain raw log data
Reporting
Analysis
Security focused reporting
Correlation, threat scoring, event
prioritization
Broad use reporting
Full text analysis,
tagging
Alerting and
notification
Advanced security focused
reporting
Simple alerting on all
logs
Other features
Incident management, analyst
workflow, context analysis, etc.
High scalability of
collection and
storage
36
A SIEM Scenario
SIEM Process Flow
Data
Collection
Extract
Intelligent
Information
Add Value
Presentation
Dashboards
& Reports
38
Typical Working of an SIEM Solution
39
SIEM Architecture
System Inputs
Event Data
Operating Systems
Applications
Devices
Databases
Contextual Data
Vulnerability Scans
User Information
Asset Information
Threat Intelligence
SIEM
Data
Collection
Normalization
Correlation
Logic/Rules
Aggregation
System Outputs
Analysis
Reports
Real Time Monitoring
40
Typical Features of SIEM
41
Context
42
Adding Context
Examples of context
◦ Add geo-location information
◦ Get information from DNS servers
◦ Get User details (Full Name, Job Title & Description)
Add context aids in identifying
◦ Access from foreign locations
◦ Suspect data transfer
43
How a Log File is Generated in your
Network
The Beauty of Log Correlation
Log Correlation is the difference between:
“14:10 7/4/20110 User BRoberts Successful Auth to
10.100.52.105 from 10.10.8.22”
and…
“An Account belonging to Marketing connected to an
Engineering System from an office desktop, on a day
when nobody should be in the office”
Why is SIEM Necessary?
Rise in data breaches due to internal and external
threats
Attackers are smart and traditional security tools just
don’t suffice
Mitigate sophisticated cyber-attacks
Manage increasing volumes of logs from multiple
sources
Meet stringent compliance requirements
46
Download